Details and best practices for Insight configuration in Cloud Workload Protection for Storage
search cancel

Details and best practices for Insight configuration in Cloud Workload Protection for Storage


Article ID: 205230


Updated On:


Cloud Workload Protection for Storage


You are using Symantec Cloud Workload Protection for Storage (CWPs) and would like to know more about Insight, what it does, and best practices for configuration.


About Insight

Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information is available to Symantec products in the cloud through Symantec Insight. Symantec Insight provides a file reputation database and the latest virus and spyware definitions. CWPs leverages Insight to protect cloud based storage from new, targeted, and mutating threats. Cloud Workload Protection for Storage queries for file reputation in real time. The queries are called reputation lookups, cloud lookups, or Insight lookups.

Insight reputation ratings

Symantec Insight determines each file's level of risk or security rating. The rating is also known as the file's reputation.
Insight determines a file's security rating by examining the following characteristics of a file and its context:

  • The source of the file
  • How new the file is
  • How common the file is in the community
  • Other security metrics, such as how the file might be associated with malware


Insight Configuration

Insight can be configured in CWPs via the Anti-Malware policy. This policy is accessible in the console under Policies -> Anti-Malware.

Insight in CWPs is divided into two categories

File Insight
A file-based detection technology that classifies files as good or bad. The files are classified by examining the file properties, usage patterns, or users of a given file rather than scanning it. Insight-based security puts files in context, using their age, frequency, location, and more to expose the threats that are otherwise missed.
Mobile Insight

Applies Symantec's Global Intelligence Network to classify Android application package (APK) files using Insight technology.

There are two configurations for Insight detection in CWPs

Detection Level

Determines the level at which CWPs will take action against a file and generate alerts due to its reputation.

Monitoring Level

Determines the level at which CWPs will log and generate alerts against a file due to its reputation.

These levels can be configured independently, allowing administrators to log and alert on a more aggressive basis than action is taken. This allows for a more aggressive level of monitoring, while reducing the chance of impacting vital data with false positive detections.

Detection and monitoring levels are divided into four categories

Known Bad Appropriate for highly FP-averse divisions or test environments that cannot tolerate the blocking of newly downloaded or created good files that are still building reputation (e.g., new files from little-known publishers). At this level, malware that is still building reputation may evade detection, but the system is highly unlikely to convict good files at scan time. 
Low Appropriate for most private storage accounts used in normal production. This level balances FP risk and detection to capture most malware with low FPs.
Medium Appropriate for publicly accessible storage used for file intake from unknown sources. Balances the need for security while maintaining a lower instance of false positives.
High Appropriate for highly secure environments where you wish to “lock-down” a storage account or bucket that does not
frequently contain new or unproven software. FPs on newly downloaded good files that lack a higher reputation will
occur at this level, but very little malware will evade detection.

False positive prevention

File Insight in CWPs will not detect known good files as malware. There are several ways to make sure your good files are known as ‘good’. The following steps will help prevent false positives when using CWPs

Using Digital Signatures

One of the easiest ways to identify that a file is ‘good’ is to know where it came from and who created it. An important factor in building confidence in a file being ‘good’ is to check its digital signature. Executable files without a digital signature have a higher chance of being identified as ‘unknown’ or low-reputation.
• Custom or home-grown application should be digitally signed with class three digital certificates.
• Customers should insist that their software vendors digitally sign their applications.

Add to the Symantec White List

Symantec has a growing white list of over 25 million ‘good’ files. These files are used in testing signatures before they are published. Their hash values are also stored online and used to avoid false positives on the CWPs client via real-time cloud lookups whenever a file is detected by any of our client security technologies. This white list is a powerful tool for avoiding false positives. Customers and vendors can add files to this list. Software developers can request that their executable be added to the Symantec white list at


Use the Monitoring level feature of CWPs to insure good files are not detected before increasing the aggression level of the Detection feature. This allows for adjustments to the settings or files before impacting production resources.